Transfer of data and samples – What are Data Transfer Agreements and Material Transfer Agreements?

According to Article 44 of the GDPR, international transfers of data are “[…] dependent on the satisfaction of three conditions: (1) the transfer is subject to ‘the other provisions of this Regulation’; (2) ‘the conditions laid down in this Chapter are complied with by the controller and processor’, including those relating to onward transfers; and (3) ‘all provisions in this Chapter’ are applied in order to ensure that the level of protection contained in the GDPR is not undermined.”^[10].

When data processing is due to involve a transfer of personal data to third countries, this is an element that data subjects should be made aware of “[…] at the time when personal data are obtained […]” (article 13(1)(f)) and is information which can be accessed, by the data subject, at any given moment (Article 15(1)(c)). Access to this information is possible as data controllers (and, mutatis mutandis, data processors) are required to maintain a record of processing activities, and the GDPR places great emphasis over the obligation to record the categories of recipients of personal data when these are located in third countries as well as information pertaining to the international data transfer itself (Article 30(1)(d), (e)). The GDPR has introduced special safeguards for transfer of data to third countries and international organisations. Such safeguards are described in article 46 and may include may consist of making use of binding corporate rules (Article 4(20)) or standard data protection clauses adopted by the Commission. Importantly, data subjects have the right to be informed regarding the implementation of these measures, pursuant to Article 15(2) of the GDPR.

The EU’s Adequacy Decisions, pursuant to Article 45 of the GDPR, cover international data transfers to countries such as Argentina, Israel, Japan and Switzerland^[11]. Such decisions are subject to periodic review (Recital 106 and Article 45(3)) and may be repealed, amended or suspended, in accordance with Article 45(5). In those cases where the Commission has not enacted an Adequacy Decision, international transfers of data are subject to Appropriate Safeguards (Article 46). Lastly, if the international transfer does not meet the requirements of either article 45 or 46, the GDPR provides a list of exceptions (derogations) – Article 49 – which may be used in specific situations.

Further steps regarding the transfer of personal data will be taken through the adoption and implementation of the European Health Data Space (EHDS) Regulation^[12] (vide Articles 88 (Third country transfer of non-personal electronic data), 62 (International governmental access to non-personal electronic health data) and 90 (Additional conditions for transfer of personal electronic health data to a third country or an international organisation), for example). The EHDS Regulation does not govern transfer of samples.

1.2. Transfers of samples

As for transfers of samples, applicable legislation within the EU / EEA^[13] includes the EU’s Commission Directive (EU) 2015/565 of 8 April 2015 amending Directive 2006/86/EC as regards certain technical requirements for the coding of human tissues and cells which introduced the “Single European Code” or “SEC”, a unique identifier applied to tissues and cells distributed in the Union (Article 1). Such a code “[…] should be allocated to all tissues and cells distributed for human application, including those imported from third countries […]” (Recital 6)^[14]. Nevertheless, as Member States may implement exemptions to this general rule (recital 6, in fine), national legislation should be considered (Article 10). Also, as the EU legal instrument on this subject is a Directive, transposition into national legal frameworks will also have been different, thus reinforcing the fact that Member States’ issued guidance and legislation has to be taken into account.

Regarding these national rules, the applicable instruments may vary depending on the purpose of the sample transfer. Although – as mentioned – Directive (EU) 2015/565 applies to tissues and cells intended for human application, samples due to be transferred may be intended for research. The sample type (pathogenic or non-pathogenic, for example) may also influence the nature of the applicable legislation. If a sample is pathogenic, and thus represents a biosafety hazard, its import/export may require the fulfilment of additional requirements, such as complying with labelling, transport and packaging regulations.

Recently, another EU-enacted Act, a Regulation regarding substances of human origin[15] (SoHO, as defined in Article 3(1)) intended for human application (not research[16]) also governs some aspects regarding transfers of SoHO within the EU and import and export of samples to third countries. In fact, the Regulation defined “release” as the process where quality and safety (as well as fulfilment of conditions of any applicable authorisation) of SoHO are ascertained prior to a SoHO being made available for distribution or export (Article 3(26)). While distribution refers to providing, within the EU, SoHO for human application or manufacture of products regulated by other Union legislation (Article 3(27)), export refers to the activities carried out to send SoHO from the EU to a third country (Article 3(30)). The SoHO Regulation has provisions regarding the implementation of the SEC (Article 43), requirements for SoHO entities who import SoHO (Articles 26, 47 and 48), and general requirements for SoHO exports (Article 51).

The Regulation also introduces the concept of SoHO establishment (Article 3(35)), i.e., a SoHO entity (Article 3(33)) that carries out at least one of the following: processing and storage of SoHO, SoHO release, SoHO import and SoHO export. SoHO establishments will be subjected to regular inspections (as defined by Article 3(52) and detailed in Article 27) by competent authorities and are required to apply for a SoHO establishment authorisation (Article 24). SoHO establishments are required to appoint a physician, who will be responsible for tasks including, but not limited to, management of SoHO donor eligibility criteria and some aspects relating to SoHO adverse reactions (Article 50). If they release SoHO, SoHO establishments have to appoint one or more releasing officers (Article 49), highly qualified professionals who ascertain whether the SoHO meets the set quality and safety criteria (Article 48(5)). Additionally, those SoHO establishments that import SoHO from outside the EU/EEA need to apply for a specific authorisation for importing SoHO establishments (described in Article 26) and to put in place written agreements with suppliers (Article 48(2)).

Apart from this Regulation, exports to EU MS and to third countries are regulated at the national level.

In summary, a concise and simplified overview of the status quo:

2. Conclusion

With this context in mind, Data Transfer Agreements (DTA) and Material Transfer Agreements (MTA) are contractual agreements invaluable for the governance of sample and data access. Whilst DTAs cover the transfer of data itself, an MTA is “[…] a contract which sets out the rights and obligations with respect to the use of a biological sample. These samples may include cultures, cell lines, plasmids, nucleotides, protein, bacteria, transgenic animals and pharmaceuticals, inter alia. These agreements may cover a wide range of materials, including data and software.”^[17].

Sources:

[1] According to the interpretation of the CJEU’s judgements on this subject, it is suggested that ‘transfers’ involve both actively sending data as well as granting access to it. Vide The EU General Data Protection Regulation (GDPR), edited by Kuner, C. / Bygrave, L. A. / Docksey, C., Oxford University Press, 2020, pp. 762-763.

[2] Directive 2004/23/EC of the European Parliament and of the Council of 31 March 2004 on setting standards of quality and safety for the donation, procurement, testing, processing, preservation, storage and distribution of human tissues and cells.

[3] Regulation (EU) 2024/1938 of the European Parliament and of the Council of 13 June 2024 on standards of quality and safety for substances of human origin intended for human application and repealing Directives 2002/98/EC and 2004/23/EC.

[4] General Data Protection Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). The GDPR is a text with EEA relevance. Additionally, it is included in Annex XI of the EEA Agreement (vide §5e).

[5] European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, available from: Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data | European Data Protection Board (europa.eu) (accessed: 28/06/2024).

[6] Judgement of the Court (Grand Chamber), 16 July 2020, Case C-311/18 – Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, available from: https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=11541895 (accessed: 28/06/2024).

[7] European Data Protection Board, Op. Cit., pp. 3 and ff-. The “six-step approach” is a series of recommendations issued by the EDPB “To help exporters (be they controllers or processors, private entities or public bodies, processing personal data within the scope of application of the GDPR) with the complex task of assessing third countries and identifying appropriate supplementary measures where needed […]”. Ibidem, pp. 3 and ff.

[8] General Data Protection Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). The GDPR is a text with EEA relevance. Additionally, it is included in Annex XI of the EEA Agreement (vide §5e).

[9] It has been acknowledged that “[…] while the “level of protection” in the third country must be “essentially equivalent” to that guaranteed in the EU, “the means to which that third country has recourse, in this connection, for the purpose of such a level of protection may differ from those employed within the [EU]”. Therefore, the objective is not to mirror point by point the European legislation, but to establish the essential – core requirements of that legislation”. In: Article 29 Data Protection Working Party, Adequacy Referential (updated), Adopted on 28 November 2017, (As last Revised and Adopted on 6 February 2018) available from: https://ec.europa.eu/newsroom/article29/redirection/document/57550 (accessed: 01/07/2024), p. 3. Vide also Judgment of the Court (Grand Chamber), 6 October 2015, Case C‑362/14 – Maximillian Schrems v Data Protection Commissioner, available from: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62014CJ0362 (accessed: 28/06/2024).

[10] The EU General Data Protection Regulation (GDPR), edited by Kuner, C. / Bygrave, L. A. / Docksey, C., Oxford University Press, 2020, p. 762. Regarding the procedure of Adequacy Decisions vide Op. Cit., pp. 784 and ff.

[11] Further information: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en (accessed: 28/06/2024).

[12] Regulation of the European Parliament and of the Council on the European Health Data Space and amending Directive 2011/24/EU and Regulation (EU) 2024/2847. Current text available here: https://data.consilium.europa.eu/doc/document/PE-76-2024-INIT/en/pdf (accessed: 04/02/2025).

[13] The infra mentioned EU legal instruments are all marked as texts with EEA relevance. Additionally, they are included in Annex II of the EEA Agreement.

[14] European Commission, Health and Food Directorate-General, Information for Competent Authorities and Tissue Establishments on the Implementation of the Single European Code (SEC) for Tissues and Cells, Version 1.0, February 2016, pp. 13 and ff. Document available from: 5e0f27ff-9f5b-4c6e-9c1c-1adccc28cef3_en (europa.eu) (accessed: 01/07/2024).

[15] Regulation (EU) 2024/1938 of the European Parliament and of the Council of 13 June 2024 on standards of quality and safety for substances of human origin intended for human application and repealing Directives 2002/98/EC and 2004/23/EC.

[16] The SoHO Regulation “[…] is not meant to cover research using SoHO when that research does not involve human application […]” (recital 60, emphasis added). Nevertheless, “[…] the donation of SoHO that will be exclusively for use in research without any human application should also comply with the standards concerning voluntary and unpaid donation set out in this Regulation” (recital 60, in fine). This reinforced within the body of the legal act, specifically in Article 54(6).

[17] Christ, Hedley. “Brexit Effects: What Are the “Brexit Effects” on the Exchange of Data and Biological Samples with the UK?.” GDPR Requirements for Biobanking Activities Across Europe. Springer International Publishing, 2023, pp. 71-78, p. 77.